Analysis Report CHEQUE COPY.exe

Overview

General Information

Sample Name: CHEQUE COPY.exe
Analysis ID: 355626
MD5: ec067b73f3156aedbd9158f107952eb8
SHA1: 6353de54ce12dfd2cd86a3dc2824c7448157a821
SHA256: 3f6f1635ca9660f24bf4e9527ec6136ed50ad9a8a88e442768143d55eb73a6af
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • CHEQUE COPY.exe (PID: 6828 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' MD5: EC067B73F3156AEDBD9158F107952EB8)
    • CHEQUE COPY.exe (PID: 6924 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' MD5: EC067B73F3156AEDBD9158F107952EB8)
      • schtasks.exe (PID: 7096 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 7148 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp811A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • CHEQUE COPY.exe (PID: 6200 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0 MD5: EC067B73F3156AEDBD9158F107952EB8)
    • CHEQUE COPY.exe (PID: 5852 cmdline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0 MD5: EC067B73F3156AEDBD9158F107952EB8)
  • dhcpmon.exe (PID: 6116 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: EC067B73F3156AEDBD9158F107952EB8)
    • dhcpmon.exe (PID: 6356 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: EC067B73F3156AEDBD9158F107952EB8)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405",
  "Group": "Default",
  "Domain1": "chinomso.duckdns.org",
  "Domain2": "chinomso.duckdns.org",
  "Port": 7688,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Enable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "chinomso.duckdns.org",
  "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.688775764.00000000026C0000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1c85b:$a: NanoCore
  • 0x1c8b4:$a: NanoCore
  • 0x1c8f1:$a: NanoCore
  • 0x1c96a:$a: NanoCore
  • 0x1c8bd:$b: ClientPlugin
  • 0x1c8fa:$b: ClientPlugin
  • 0x1d1f8:$b: ClientPlugin
  • 0x1d205:$b: ClientPlugin
  • 0x129df:$e: KeepAlive
  • 0x1cd45:$g: LogClientMessage
  • 0x1ccc5:$i: get_Connected
  • 0xcc91:$j: #=q
  • 0xccc1:$j: #=q
  • 0xccfd:$j: #=q
  • 0xcd25:$j: #=q
  • 0xcd55:$j: #=q
  • 0xcd85:$j: #=q
  • 0xcdb5:$j: #=q
  • 0xcde5:$j: #=q
  • 0xce01:$j: #=q
  • 0xce31:$j: #=q
0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x43195:$a: NanoCore
    • 0x431ee:$a: NanoCore
    • 0x4322b:$a: NanoCore
    • 0x432a4:$a: NanoCore
    • 0x5694f:$a: NanoCore
    • 0x56964:$a: NanoCore
    • 0x56999:$a: NanoCore
    • 0x6f95b:$a: NanoCore
    • 0x6f970:$a: NanoCore
    • 0x6f9a5:$a: NanoCore
    • 0x431f7:$b: ClientPlugin
    • 0x43234:$b: ClientPlugin
    • 0x43b32:$b: ClientPlugin
    • 0x43b3f:$b: ClientPlugin
    • 0x5670b:$b: ClientPlugin
    • 0x56726:$b: ClientPlugin
    • 0x56756:$b: ClientPlugin
    • 0x5696d:$b: ClientPlugin
    • 0x569a2:$b: ClientPlugin
    • 0x6f717:$b: ClientPlugin
    • 0x6f732:$b: ClientPlugin
0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x146bd:$x1: NanoCore.ClientPluginHost
    • 0x146fa:$x2: IClientNetworkHost
    • 0x1822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
11.2.CHEQUE COPY.exe.415058.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\CHEQUE COPY.exe, ProcessId: 6924, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\CHEQUE COPY.exe', ParentImage: C:\Users\user\Desktop\CHEQUE COPY.exe, ParentProcessId: 6924, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp', ProcessId: 7096

Signature Overview

        AV Detection:

Found malware configuration
Source: 0000000F.00000002.688775764.00000000026C0000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (full configuration listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: chinomso.duckdns.org; Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Virustotal: Detection: 45%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\l0k0ivt1gwq.dll; ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: CHEQUE COPY.exe; Virustotal: Detection: 45%
Source: CHEQUE COPY.exe; ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6356, type: MEMORY
Source: Yara match; File source: Process Memory Space: CHEQUE COPY.exe PID: 6200, type: MEMORY
Source: Yara match; File source: Process Memory Space: CHEQUE COPY.exe PID: 5852, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 6116, type: MEMORY
Source: Yara match; File source: Process Memory Space: CHEQUE COPY.exe PID: 6924, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CHEQUE COPY.exe; Joe Sandbox ML: detected
Source: 3.1.CHEQUE COPY.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.1.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.CHEQUE COPY.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.CHEQUE COPY.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.1.CHEQUE COPY.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.dhcpmon.exe.4a60000.9.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.CHEQUE COPY.exe.58c0000.13.unpack; Avira: Label: TR/NanoCore.fadte

        Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Unpacked PE file: 3.2.CHEQUE COPY.exe.400000.0.unpack
Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Unpacked PE file: 11.2.CHEQUE COPY.exe.400000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Unpacked PE file: 15.2.dhcpmon.exe.400000.0.unpack
Uses 32bit PE files
Source: CHEQUE COPY.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: CHEQUE COPY.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdbUGP; source: CHEQUE COPY.exe, 00000001.00000003.638726872.0000000002E30000.00000004.00000001.sdmp, CHEQUE COPY.exe, 0000000A.00000003.649783671.0000000002F90000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.669824111.0000000002EA0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb; source: CHEQUE COPY.exe, 00000001.00000003.638726872.0000000002E30000.00000004.00000001.sdmp, CHEQUE COPY.exe, 0000000A.00000003.649783671.0000000002F90000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.669824111.0000000002EA0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 1_2_00406448 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 1_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 1_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 3_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 11_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 11_1_00404A29 FindFirstFileExW,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_00404A29 FindFirstFileExW,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_1_00404A29 FindFirstFileExW,

        Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: chinomso.duckdns.org
Uses dynamic DNS services
Source: unknown; DNS query: name: chinomso.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.4:49734 -> 185.150.24.55:7688
Source: Joe Sandbox View; IP Address: 185.150.24.55
Source: Joe Sandbox View; ASN Name: SKYLINKNL
Source: unknown; DNS traffic detected: queries for: chinomso.duckdns.org
Source: CHEQUE COPY.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: CHEQUE COPY.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 1_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: CHEQUE COPY.exe, 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.898053275.0000000002441000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.898844721.00000000034BC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.688856168.00000000036AC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6356, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CHEQUE COPY.exe PID: 6200, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CHEQUE COPY.exe PID: 5852, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6116, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CHEQUE COPY.exe PID: 6924, type: MEMORY
        Source: Yara match | File source: 10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.CHEQUE COPY.exe.2db0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.2e00000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.CHEQUE COPY.exe.2760000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.34c31ec.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.5774e8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.36ee3b6.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.CHEQUE COPY.exe.2db0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.34c31ec.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.2e11458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.4d0ea0.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.36f7815.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.58c0000.13.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.5774e8.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.3675530.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.4960000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.2e00000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.58c4629.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.dhcpmon.exe.2e11458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.3445530.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.3675530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.23f0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.34c31ec.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.36f31ec.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.4920000.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 10.2.CHEQUE COPY.exe.2dc1458.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.CHEQUE COPY.exe.2771458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.23f0000.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.34c31ec.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.4960000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.3445530.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.CHEQUE COPY.exe.2771458.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.4920000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.36f31ec.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.3.CHEQUE COPY.exe.4a5448.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.CHEQUE COPY.exe.2760000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.4a60000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.dhcpmon.exe.4d0ea0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.CHEQUE COPY.exe.58c0000.13.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000000F.00000002.688775764.00000000026C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.672627448.0000000002490000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.901866159.0000000005820000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.898844721.00000000034BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.688856168.00000000036AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6356, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6356, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CHEQUE COPY.exe PID: 6200, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CHEQUE COPY.exe PID: 6200, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CHEQUE COPY.exe PID: 5852, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CHEQUE COPY.exe PID: 5852, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6116, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6116, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: CHEQUE COPY.exe PID: 6924, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: CHEQUE COPY.exe PID: 6924, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.2e00000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.2e00000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY.exe.2760000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY.exe.2760000.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.34c31ec.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.36ee3b6.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.36ee3b6.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.26dba7c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.34c31ec.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.2e11458.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.2e11458.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.4d0ea0.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.4d0ea0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.36f7815.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.58c0000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.3675530.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.24ab998.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.3675530.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.CHEQUE COPY.exe.4960000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.4960000.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.2e00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.2e00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.58c4629.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.5820000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.2e11458.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.2e11458.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.CHEQUE COPY.exe.3445530.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.3445530.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.3675530.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.3675530.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.23f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.23f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.CHEQUE COPY.exe.34c31ec.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.36f31ec.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.4920000.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.4920000.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.246cc98.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY.exe.2771458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY.exe.2771458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.23f0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.23f0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.34c31ec.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.4960000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.4960000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.1.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.CHEQUE COPY.exe.3445530.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.3445530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY.exe.2771458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY.exe.2771458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.4920000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.CHEQUE COPY.exe.4920000.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.36f31ec.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.CHEQUE COPY.exe.2760000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.CHEQUE COPY.exe.2760000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.dhcpmon.exe.4d0ea0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 15.2.dhcpmon.exe.4d0ea0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.CHEQUE COPY.exe.58c0000.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 1_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 1_2_6FC51A98
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_0040A2A5
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_0232E471
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_0232E480
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_0232BBD4
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_050FF5F8
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_050F9788
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_050FA5F8
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_050FA610
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_05396550
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_05393E30
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_0539C698
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_0539D3A8
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_05394A50
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_0539D466
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_0539C68F
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_05394B08
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 3_2_05DA0040
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_0040A2A5
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_0229E471
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_0229E480
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_0229BBD4
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_051DF5F8
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_051D9788
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_051DA5D0
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_05383E30
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_05384A50
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_05385952
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_05385330
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_2_05384B08
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: 11_1_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0249E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0249E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_0249BBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_051CF5F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_051C9788
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_051CA5F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_051CA610
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05393E30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05394A50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05395330
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_2_05394B08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 15_1_0040A2A5
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: String function: 00401ED0 appears 69 times
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe, Code function: String function: 0040569E appears 54 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: String function: 00401ED0 appears 46 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: String function: 0040569E appears 36 times
        Source: CHEQUE COPY.exe, 00000001.00000003.640133222.0000000002F46000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 00000001.00000002.642064705.0000000002740000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 00000003.00000002.902407691.00000000063F0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 00000003.00000002.901375431.0000000005250000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 00000003.00000002.901970859.00000000058E0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 00000003.00000002.898053275.0000000002441000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 00000003.00000002.901715815.00000000057B0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 0000000A.00000003.649949807.00000000030AF000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 0000000A.00000002.655806620.0000000000EB0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, 0000000B.00000002.675436648.0000000005350000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs CHEQUE COPY.exe
        Source: CHEQUE COPY.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: 0000000F.00000002.688775764.00000000026C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.672627448.0000000002490000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.901866159.0000000005820000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.901866159.0000000005820000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.898844721.00000000034BC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.688856168.00000000036AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6356, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6356, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CHEQUE COPY.exe PID: 6200, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CHEQUE COPY.exe PID: 6200, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CHEQUE COPY.exe PID: 5852, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CHEQUE COPY.exe PID: 5852, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6116, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6116, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: CHEQUE COPY.exe PID: 6924, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: CHEQUE COPY.exe PID: 6924, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.2e00000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.2e00000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.2e00000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY.exe.2760000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY.exe.2760000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY.exe.2760000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.34c31ec.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.34c31ec.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.36ee3b6.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.36ee3b6.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.36ee3b6.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.CHEQUE COPY.exe.2db0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.26dba7c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.26dba7c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.34c31ec.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.34c31ec.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.2e11458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.2e11458.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.2e11458.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.4d0ea0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.4d0ea0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.4d0ea0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.36f7815.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.36f7815.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.58c0000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.58c0000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.5774e8.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.3675530.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.3675530.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.24ab998.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.24ab998.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.3675530.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.CHEQUE COPY.exe.4960000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.4960000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.4960000.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.2e00000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.2e00000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.2e00000.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.58c4629.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.58c4629.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.5820000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.5820000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.2e11458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.2e11458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.2e11458.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.CHEQUE COPY.exe.3445530.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.3445530.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.3445530.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.3675530.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.3675530.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.3675530.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.23f0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.23f0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.23f0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.CHEQUE COPY.exe.34c31ec.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.34c31ec.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.36f31ec.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.36f31ec.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.4920000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.4920000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.4920000.7.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.246cc98.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.246cc98.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 10.2.CHEQUE COPY.exe.2dc1458.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY.exe.2771458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY.exe.2771458.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY.exe.2771458.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.23f0000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.23f0000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.23f0000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.34c31ec.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.34c31ec.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.4960000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.4960000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.4960000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.1.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.CHEQUE COPY.exe.3445530.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.3445530.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.3445530.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY.exe.2771458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY.exe.2771458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY.exe.2771458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.4920000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.4920000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.CHEQUE COPY.exe.4920000.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.36f31ec.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.36f31ec.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.3.CHEQUE COPY.exe.4a5448.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.CHEQUE COPY.exe.2760000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.CHEQUE COPY.exe.2760000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.CHEQUE COPY.exe.2760000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.dhcpmon.exe.4d0ea0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.dhcpmon.exe.4d0ea0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.dhcpmon.exe.4d0ea0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.58c0000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.CHEQUE COPY.exe.58c0000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'CreateDecryptor'
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'TransformFinalBlock'
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'CreateDecryptor'
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'TransformFinalBlock'
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'CreateDecryptor'
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs; Cryptographic APIs: 'TransformFinalBlock'
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine; Classification label: mal100.troj.evad.winEXE@15/17@23/1
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 1_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 1_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 1_2_10004207 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Code function: 3_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
        Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
        Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_01
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{bed38ea9-13ae-4999-bfd6-9ec5f9de3405}
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; File created: C:\Users\user\AppData\Local\Temp\nsc691C.tmp
        Source: CHEQUE COPY.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: CHEQUE COPY.exe; Virustotal: Detection: 45%
        Source: CHEQUE COPY.exe; ReversingLabs: Detection: 27%
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; File read: C:\Users\user\Desktop\CHEQUE COPY.exe
        Source: unknown; Process created: C:\Users\user\Desktop\CHEQUE COPY.exe 'C:\Users\user\Desktop\CHEQUE COPY.exe'
        Source: unknown; Process created: C:\Users\user\Desktop\CHEQUE COPY.exe 'C:\Users\user\Desktop\CHEQUE COPY.exe'
        Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp'
        Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp811A.tmp'
        Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown; Process created: C:\Users\user\Desktop\CHEQUE COPY.exe 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0
        Source: unknown; Process created: C:\Users\user\Desktop\CHEQUE COPY.exe 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0
        Source: unknown; Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown; Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Process created: C:\Users\user\Desktop\CHEQUE COPY.exe 'C:\Users\user\Desktop\CHEQUE COPY.exe'
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp'
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp811A.tmp'
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe; Process created: C:\Users\user\Desktop\CHEQUE COPY.exe 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Users\user\Desktop\CHEQUE COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\Desktop\CHEQUE COPY.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: CHEQUE COPY.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: wntdll.pdbUGP source: CHEQUE COPY.exe, 00000001.00000003.638726872.0000000002E30000.00000004.00000001.sdmp, CHEQUE COPY.exe, 0000000A.00000003.649783671.0000000002F90000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.669824111.0000000002EA0000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: CHEQUE COPY.exe, 00000001.00000003.638726872.0000000002E30000.00000004.00000001.sdmp, CHEQUE COPY.exe, 0000000A.00000003.649783671.0000000002F90000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.669824111.0000000002EA0000.00000004.00000001.sdmp

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Unpacked PE file: 3.2.CHEQUE COPY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Unpacked PE file: 11.2.CHEQUE COPY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 15.2.dhcpmon.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Unpacked PE file: 3.2.CHEQUE COPY.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Unpacked PE file: 11.2.CHEQUE COPY.exe.400000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Unpacked PE file: 15.2.dhcpmon.exe.400000.0.unpack
        .NET source code contains potential unpacker
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 1_2_6FC51A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 1_2_6FC52F60 push eax; ret
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_00401F16 push ecx; ret
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_050F7648 push eax; iretd
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_05398D61 push 4805248Ah; ret
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_053985EA push 60052486h; ret
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_2_00401F16 push ecx; ret
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_2_051D7648 push eax; iretd
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_2_05386E5D push FFFFFF8Bh; iretd
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_1_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00401F16 push ecx; ret
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_051C7648 push eax; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_05396E5D push FFFFFF8Bh; iretd
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_1_00401F16 push ecx; ret
        Source: initial sample | Static PE information: section name: .data entropy: 7.72282303822
        Source: initial sample | Static PE information: section name: .data entropy: 7.72282303822
        Source: initial sample | Static PE information: section name: .data entropy: 7.72282303822
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 15.2.dhcpmon.exe.4a60000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | File created: C:\Users\user\AppData\Local\Temp\nsx694C.tmp\System.dll
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | File created: C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File created: C:\Users\user\AppData\Local\Temp\l0k0ivt1gwq.dll

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | File opened: C:\Users\user\Desktop\CHEQUE COPY.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Window / User API: threadDelayed 7751
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Window / User API: threadDelayed 1872
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Window / User API: foregroundWindowGot 854
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe TID: 4528 | Thread sleep time: -19369081277395017s >= -30000s
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe TID: 6384 | Thread sleep count: 40 > 30
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe TID: 4672 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6524 | Thread sleep count: 43 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6640 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 1_2_00406448 FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 1_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 1_2_004027A1 FindFirstFileA,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_2_00404A29 FindFirstFileExW,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_1_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00404A29 FindFirstFileExW,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_1_00404A29 FindFirstFileExW,
        Source: CHEQUE COPY.exe, 00000003.00000002.902407691.00000000063F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: CHEQUE COPY.exe, 00000003.00000002.902407691.00000000063F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: CHEQUE COPY.exe, 00000003.00000002.902407691.00000000063F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: CHEQUE COPY.exe, 00000003.00000002.902407691.00000000063F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 1_2_6FC51A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 1_2_1000456E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 1_2_10004771 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 10_2_1000456E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 10_2_10004771 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_1_004035F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_004067FE GetProcessHeap,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 3_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe | Code function: 11_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 15_1_00401E1D SetUnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Section loaded: unknown target: C:\Users\user\Desktop\CHEQUE COPY.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Section loaded: unknown target: C:\Users\user\Desktop\CHEQUE COPY.exe protection: execute and read and write
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Process created: C:\Users\user\Desktop\CHEQUE COPY.exe 'C:\Users\user\Desktop\CHEQUE COPY.exe'
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp'
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp811A.tmp'
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Process created: C:\Users\user\Desktop\CHEQUE COPY.exe 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: CHEQUE COPY.exe, 00000003.00000002.898187357.0000000002539000.00000004.00000001.sdmp	Binary or memory string: Program Manager
        Source: CHEQUE COPY.exe, 00000003.00000002.897638734.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
        Source: CHEQUE COPY.exe, 00000003.00000002.897638734.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Progman
        Source: CHEQUE COPY.exe, 00000003.00000002.897638734.0000000000DE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Code function: 3_2_0040208D cpuid
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Code function: 3_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Code function: 1_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\CHEQUE COPY.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match	File source: 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.898053275.0000000002441000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.898844721.00000000034BC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match	File source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.688856168.00000000036AC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6356, type: MEMORY
        Source: Yara match	File source: Process Memory Space: CHEQUE COPY.exe PID: 6200, type: MEMORY
        Source: Yara match	File source: Process Memory Space: CHEQUE COPY.exe PID: 5852, type: MEMORY
        Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6116, type: MEMORY
        Source: Yara match	File source: Process Memory Space: CHEQUE COPY.exe PID: 6924, type: MEMORY
        Source: Yara match	File source: 10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 10.2.CHEQUE COPY.exe.2db0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 12.2.dhcpmon.exe.2e00000.4.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 1.2.CHEQUE COPY.exe.2760000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.34c31ec.4.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.5774e8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.36ee3b6.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 10.2.CHEQUE COPY.exe.2db0000.3.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.34c31ec.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.4.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 12.2.dhcpmon.exe.2e11458.3.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.4d0ea0.2.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.36f7815.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.58c0000.13.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.5774e8.2.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.3675530.5.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.4960000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 12.2.dhcpmon.exe.2e00000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.58c4629.12.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 12.2.dhcpmon.exe.2e11458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.3445530.4.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.3675530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.23f0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.34c31ec.7.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.36f31ec.7.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.4920000.7.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 10.2.CHEQUE COPY.exe.2dc1458.4.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 1.2.CHEQUE COPY.exe.2771458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.23f0000.3.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.34c31ec.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.4960000.8.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.3.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.1.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.3445530.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 1.2.CHEQUE COPY.exe.2771458.3.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.4920000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.36f31ec.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 1.2.CHEQUE COPY.exe.2760000.4.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.4a60000.9.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.4d0ea0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.58c0000.13.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: CHEQUE COPY.exe	String found in binary or memory: NanoCore.ClientPluginHost
        Source: CHEQUE COPY.exe, 00000003.00000002.898053275.0000000002441000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: CHEQUE COPY.exe, 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
        Source: CHEQUE COPY.exe	String found in binary or memory: NanoCore.ClientPluginHost
        Source: CHEQUE COPY.exe, 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe	String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000F.00000002.688775764.00000000026C0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match	File source: 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.898053275.0000000002441000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.898844721.00000000034BC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match	File source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.688856168.00000000036AC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6356, type: MEMORY
        Source: Yara match	File source: Process Memory Space: CHEQUE COPY.exe PID: 6200, type: MEMORY
        Source: Yara match	File source: Process Memory Space: CHEQUE COPY.exe PID: 5852, type: MEMORY
        Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6116, type: MEMORY
        Source: Yara match	File source: Process Memory Space: CHEQUE COPY.exe PID: 6924, type: MEMORY
        Source: Yara match	File source: 10.2.CHEQUE COPY.exe.2dc1458.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 10.2.CHEQUE COPY.exe.2db0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 12.2.dhcpmon.exe.2e00000.4.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 1.2.CHEQUE COPY.exe.2760000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.2.CHEQUE COPY.exe.34c31ec.4.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 11.2.CHEQUE COPY.exe.5774e8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 3.3.CHEQUE COPY.exe.4a5448.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 15.2.dhcpmon.exe.36ee3b6.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 10.2.CHEQUE COPY.exe.2db0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.3.CHEQUE COPY.exe.4a5448.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.34c31ec.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.3.CHEQUE COPY.exe.4a5448.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.2e11458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.4d0ea0.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.36f7815.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.58c0000.13.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.5774e8.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.4a60000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.3675530.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.4960000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.2e00000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.58c4629.12.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.3.CHEQUE COPY.exe.4a5448.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.3.CHEQUE COPY.exe.4a5448.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.34c7815.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.2e11458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.3445530.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.3675530.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.23f0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.34c31ec.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.36f31ec.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.4920000.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 10.2.CHEQUE COPY.exe.2dc1458.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY.exe.2771458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.23f0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.34c31ec.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.4960000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.3.CHEQUE COPY.exe.4a5448.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.3445530.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.34be3b6.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.3.CHEQUE COPY.exe.4a5448.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.3.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.4a5448.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY.exe.2771458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.CHEQUE COPY.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.4920000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.36f31ec.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.3.CHEQUE COPY.exe.4a5448.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 1.2.CHEQUE COPY.exe.2760000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.CHEQUE COPY.exe.4fc0000.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.4a60000.9.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 15.2.dhcpmon.exe.4d0ea0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.CHEQUE COPY.exe.58c0000.13.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.1.CHEQUE COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE

MITRE ATT&CK Matrix

Digits appended to a technique name are the count badges shown in the original rendered matrix; empty cells are left blank.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Scheduled Task/Job1 | Access Token Manipulation1 | Disable or Modify Tools1 | Input Capture11 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Process Injection112 | Deobfuscate/Decode Files or Information11 | LSASS Memory | File and Directory Discovery2 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Obfuscated Files or Information3 | Security Account Manager | System Information Discovery25 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing32 | NTDS | Security Software Discovery131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading2 | LSA Secrets | Virtualization/Sandbox Evasion3 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion3 | Cached Domain Credentials | Process Discovery3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection112 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

Behavior Graph ID: 355626
Sample: CHEQUE COPY.exe
Start date: 20/02/2021
Architecture: WINDOWS
Score: 100

Process tree recovered from the graph (node numbers and the counts next to process names are those shown in the graph):

Start node (2)
  DNS/IP: chinomso.duckdns.org
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  Started processes:
    CHEQUE COPY.exe (node 9, 18)
      Dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
      Signature: Maps a DLL or memory area into another process
      Started: CHEQUE COPY.exe (node 17, 1 12)
        DNS/IP: chinomso.duckdns.org 185.150.24.55, 49734, 49738, 49740, SKYLINKNL, Netherlands
        Dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO; C:\Users\user\AppData\Local\...\tmp7DCD.tmp, XML; C:\...\dhcpmon.exe:Zone.Identifier, ASCII
        Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
        Started: schtasks.exe (node 26, 1) -> conhost.exe (node 30); schtasks.exe (node 28, 1) -> conhost.exe (node 32)
    dhcpmon.exe (node 13, 16)
      Dropped: C:\Users\user\AppData\...\l0k0ivt1gwq.dll, PE32; C:\Users\user\AppData\Local\...\System.dll, PE32
      Started: dhcpmon.exe (node 22, 3)
        Dropped: C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII
    CHEQUE COPY.exe (node 15, 16)
      Dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
      Started: CHEQUE COPY.exe (node 24, 3)
        Dropped: C:\Users\user\AppData\...\CHEQUE COPY.exe.log, ASCII

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
CHEQUE COPY.exe | 45% | Virustotal |
CHEQUE COPY.exe | 28% | ReversingLabs | Win32.Backdoor.NanoBot
CHEQUE COPY.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 45% | Virustotal |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 28% | ReversingLabs | Win32.Backdoor.NanoBot
C:\Users\user\AppData\Local\Temp\l0k0ivt1gwq.dll | 17% | ReversingLabs | Win32.Trojan.Cerbu
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsx694C.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsx694C.tmp\System.dll | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
3.1.CHEQUE COPY.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
15.1.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.2.CHEQUE COPY.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
15.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.CHEQUE COPY.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.2.CHEQUE COPY.exe.4a60000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.1.CHEQUE COPY.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.CHEQUE COPY.exe.4fc0000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
15.2.dhcpmon.exe.4a60000.9.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
3.2.CHEQUE COPY.exe.58c0000.13.unpack | 100% | Avira | TR/NanoCore.fadte

Domains

Source | Detection | Scanner | Label
chinomso.duckdns.org | 8% | Virustotal |

URLs

Source | Detection | Scanner | Label
chinomso.duckdns.org | 8% | Virustotal |
chinomso.duckdns.org | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
chinomso.duckdns.org | 185.150.24.55 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
chinomso.duckdns.org | true | Virustotal: 8%; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | CHEQUE COPY.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | CHEQUE COPY.exe | false | | high

            Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.150.24.55 | unknown | Netherlands | 44592 | SKYLINKNL | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355626
Start date: 20.02.2021
Start time: 09:28:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: CHEQUE COPY.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/17@23/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 11.5% (good quality ratio 10.7%)
• Quality average: 78.2%
• Quality standard deviation: 30.2%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 92.122.145.220, 104.43.139.144, 13.88.21.125, 52.255.188.83, 51.104.146.109, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 51.104.139.180, 92.122.213.247, 92.122.213.194, 51.132.208.181
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

Time | Type | Description
09:29:03 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\CHEQUE COPY.exe" s>$(Arg0)
09:29:03 | API Interceptor | 1031x Sleep call for process: CHEQUE COPY.exe modified
09:29:03 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:29:05 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
185.150.24.55 | CHEQUE COPY.jar | malicious |
185.150.24.55 | PAYMENT COPY RECEIPT.exe | malicious |
185.150.24.55 | FeDEx TRACKING DETAILS.exe | malicious |
185.150.24.55 | FeDEx TRACKING DETAILS.exe | malicious |
185.150.24.55 | FedEx TRACKING DETAILS.exe | malicious |
185.150.24.55 | TNT TRACKING DETAILS.exe | malicious |
185.150.24.55 | TNT TRACKING DETAILS.exe | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
chinomso.duckdns.org | PAYMENT COPY RECEIPT.exe | malicious | 185.150.24.55
chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
chinomso.duckdns.org | Shiping Doc BL.exe | malicious | 194.5.98.157
chinomso.duckdns.org | DHL AWB TRACKING DETAIL.exe | malicious | 194.5.98.56
chinomso.duckdns.org | odou7cg844.exe | malicious | 129.205.124.145
chinomso.duckdns.org | DHL AWB TRACKING DETAILS.exe | malicious | 185.244.30.86
chinomso.duckdns.org | AWB RECEIPT.exe | malicious | 129.205.124.132
chinomso.duckdns.org | TNT AWB TRACKING DETAILS.exe | malicious | 129.205.113.246
chinomso.duckdns.org | DHL AWB TRACKING DETAILS.exe | malicious | 197.210.227.36
chinomso.duckdns.org | DHL AWB TRACKING DETAILS.exe | malicious | 185.244.30.39
chinomso.duckdns.org | TNT AWB TRACKING DETAILS.exe | malicious | 129.205.124.140
chinomso.duckdns.org | DHL AWB TRACKING DETAILS.exe | malicious | 197.210.85.85
chinomso.duckdns.org | DHL AWB TRACKING DETAIILS.exe | malicious | 185.244.30.39
chinomso.duckdns.org | 39Quot.exe | malicious | 185.165.153.35

ASN

Match | Associated Sample Name / URL | Detection | Context
SKYLINKNL | Quotation-3276.PDF.exe | malicious | 185.150.24.44
SKYLINKNL | CHEQUE COPY.jar | malicious | 185.150.24.55
SKYLINKNL | MRC20201030XMY, pdf.exe | malicious | 185.150.24.6
SKYLINKNL | PAYMENT COPY RECEIPT.exe | malicious | 185.150.24.55
SKYLINKNL | FeDEx TRACKING DETAILS.exe | malicious | 185.150.24.55
SKYLINKNL | FeDEx TRACKING DETAILS.exe | malicious | 185.150.24.55
SKYLINKNL | FedEx TRACKING DETAILS.exe | malicious | 185.150.24.55
SKYLINKNL | TNT TRACKING DETAILS.exe | malicious | 185.150.24.55
SKYLINKNL | TNT TRACKING DETAILS.exe | malicious | 185.150.24.55
SKYLINKNL | QUOTATION 20 10 2020.exe | malicious | 185.150.24.48
SKYLINKNL | NEW PO638363483.exe | malicious | 185.150.24.9
SKYLINKNL | NEW PO6487382.exe | malicious | 185.150.24.9

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | Bank Details.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | Re-QUOTATION.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | shed.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | purchase order.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | QUOTATION_PDF_SCAN_COPY.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | DHL Shipment Notification 7465649870,pdf.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | Firm Order.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | Documents_pdf.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | QUOTATION.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | banka bilgisi.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | MV TEAL BULKERS.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | ForeignRemittance_20210219_USD.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | HBL VRNA00872.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | statement.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | _Doc_Shipment_330393_.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | HBL VRN0924588.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | SHED.EXE | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | c4p1vG05Z8.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | Offer18022021.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll | DHL Shipment Notification 7465649870.pdf.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | Bank Details.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | Re-QUOTATION.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | shed.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | purchase order.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | QUOTATION_PDF_SCAN_COPY.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | DHL Shipment Notification 7465649870,pdf.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | Firm Order.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | Documents_pdf.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | QUOTATION.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | banka bilgisi.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | MV TEAL BULKERS.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | ForeignRemittance_20210219_USD.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | HBL VRNA00872.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | statement.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | _Doc_Shipment_330393_.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | HBL VRN0924588.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | SHED.EXE | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | c4p1vG05Z8.exe | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | Offer18022021.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll | DHL Shipment Notification 7465649870.pdf.exe | malicious |

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\Desktop\CHEQUE COPY.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 331665
Entropy (8bit): 7.943201162388639
Encrypted: false
SSDEEP: 6144:Lx/MKNJ1v1P/51wTavAPyVCow2do2dZo8bBU2lVWoZmriV:B5T1tPxSPyVDdLP9VBkq
MD5: EC067B73F3156AEDBD9158F107952EB8
SHA1: 6353DE54CE12DFD2CD86A3DC2824C7448157A821
SHA-256: 3F6F1635CA9660F24BF4E9527EC6136ED50AD9A8A88E442768143D55EB73A6AF
SHA-512: 83456705E8BED761FC5091CDE0395314968327FD4929CBC79BD4350765328DF66FE2EE00D9D66A0B23B1246FE44B19C6F3CB3CD3BBBA88E0827442C5E8B79585
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 45%
• Antivirus: ReversingLabs, Detection: 28%
Reputation: low
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L...%.$_.................d....9.....%3............@...........................:...........@.................................8.........:.|............................................................................................................text...0b.......d.................. ..`.rdata..t............h..............@..@.data...x.9..........|..............@....ndata.......@:..........................rsrc...|.....:.....................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                                                                          Process:C:\Users\user\Desktop\CHEQUE COPY.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):26
                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                          Malicious:true
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview: [ZoneTransfer]....ZoneId=0
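The 26-byte `dhcpmon.exe:Zone.Identifier` stream above is the evidence behind the report's "Hides that the sample has been downloaded from the Internet (zone.identifier)" signature: the dropper writes a Mark-of-the-Web stream whose `ZoneId=0` (Local Machine) tells SmartScreen and Office Protected View the file is local content, whereas a file that was genuinely downloaded normally carries `ZoneId=3` plus `ReferrerUrl`/`HostUrl`, and a file that a local program created normally has no stream at all. The following parser, added here as an example and not part of the Joe Sandbox report, reconstructs the stream from the preview (the exact CRLF layout is an assumption that matches the reported 26-byte size) and flags that pattern; the downloaded-file stream is constructed for contrast.

```python
"""Parse a Zone.Identifier alternate data stream and flag Mark-of-the-Web removal.

Added example for this report; not Joe Sandbox code. On Windows the stream is read
with open(path + ":Zone.Identifier", "rb"); here the contents are embedded so the
example runs offline.
"""

# URLMON security zone identifiers (URLZONE_* values).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed from the report's preview "[ZoneTransfer]....ZoneId=0" (26 bytes);
# the CRLF placement is an assumption that reproduces the reported size.
DROPPED_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"

# Constructed: what a browser download of the lure would normally carry.
DOWNLOADED_STREAM = (
    b"[ZoneTransfer]\r\nZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/mail\r\n"
    b"HostUrl=https://example.invalid/CHEQUE%20COPY.exe\r\n"
)


def parse_zone_identifier(data: bytes) -> dict:
    """Return the key/value pairs of the [ZoneTransfer] section (keys lower-cased).

    Raises ValueError when the section header or ZoneId is missing, so a
    malformed stream is never mistaken for 'no Mark-of-the-Web'.
    """
    text = data.decode("utf-8", errors="replace")
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if section is None or "zoneid" not in fields:
        raise ValueError("not a ZoneTransfer stream")
    fields["zoneid"] = int(fields["zoneid"])
    return fields


def classify(data: bytes) -> tuple:
    """Return (zone_id, zone_name, suspicious).

    An explicit ZoneId=0 is suspicious on its own: files created locally have no
    Zone.Identifier stream, so a stream that asserts 'Local Machine' was written
    deliberately to keep the file out of SmartScreen / Protected View handling.
    """
    fields = parse_zone_identifier(data)
    zone = fields["zoneid"]
    return zone, ZONE_NAMES.get(zone, "unknown"), zone == 0


if __name__ == "__main__":
    for label, stream in (("dropped", DROPPED_STREAM), ("downloaded", DOWNLOADED_STREAM)):
        print(label, len(stream), "bytes ->", classify(stream))
```

In a triage script the same check runs over every file a sample wrote under `Program Files` or a startup location; a hit where the writing process is the sample itself, as with `dhcpmon.exe` here, is the thing to alert on.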
                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CHEQUE COPY.exe.log
                                                                                                          Process:C:\Users\user\Desktop\CHEQUE COPY.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1216
                                                                                                          Entropy (8bit):5.355304211458859
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                                                          MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                                                          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                                                          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                                                          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                                                          Malicious:true
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1216
                                                                                                          Entropy (8bit):5.355304211458859
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                                                          MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                                                          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                                                          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                                                          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                                                          Malicious:true
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
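The two `CLR_v4.0_32\UsageLogs\*.log` files above are the same 1216 bytes, which is expected: `dhcpmon.exe` is the copy of `CHEQUE COPY.exe` installed under `Program Files (x86)\DHCP Monitor`, and the 32-bit .NET Framework 4 runtime writes one of these assembly-usage logs per executable it runs. Their presence is therefore direct evidence that the dropped "DHCP Monitor" binary is a managed program that executed, and their contents list the framework assemblies it bound (WinForms, Microsoft.VisualBasic, System.Configuration, System.Xml). The parser below is an added example, not Joe Sandbox code; its sample input is reconstructed from the preview (the `..` in the preview is CRLF, and the truncated final line is left out), and the meaning given to the leading record number is an inference from that preview, not documented CLR behaviour.

```python
"""Parse a .NET Framework 4 CLR usage log (%LOCALAPPDATA%\\Microsoft\\CLR_v4.0_32\\UsageLogs\\<exe>.log).

Added example for this report, not Joe Sandbox code. Record kinds are inferred
from the report's preview: kind 1 = runtime/loader settings, kind 2 = assembly
bound without a native image, kind 3 = assembly plus the NGEN image path used.
"""
import csv
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed from the report's preview; identical for CHEQUE COPY.exe.log and dhcpmon.exe.log.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0\r\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\8d67d92724ba494b6c7fd089d6f25b48\\System.Configuration.ni.dll",0\r\n'
)


@dataclass
class AssemblyRef:
    name: str
    version: str
    public_key_token: str
    native_image: Optional[str]  # NativeImages_* path when the CLR bound an NGEN image


def parse_display_name(display: str) -> dict:
    """Split 'Name, Version=..., Culture=..., PublicKeyToken=...' into a dict."""
    parts = [p.strip() for p in display.split(",")]
    out = {"name": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        out[key.strip().lower()] = value.strip()
    return out


def parse_usage_log(text: str) -> List[AssemblyRef]:
    """Return the assemblies recorded in a usage log, in file order.

    Lines are CSV with quoted fields; kind-1 records carry no assembly and are
    skipped. The trailing integer on each record is not interpreted because
    its meaning is not shown on the page.
    """
    refs = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        kind = int(row[0])
        if kind == 2 and len(row) >= 3:
            d = parse_display_name(row[1])
            refs.append(AssemblyRef(d["name"], d.get("version", ""), d.get("publickeytoken", ""), None))
        elif kind == 3 and len(row) >= 4:
            d = parse_display_name(row[1])
            refs.append(AssemblyRef(d["name"], d.get("version", ""), d.get("publickeytoken", ""), row[2]))
    return refs


# Heuristic triage table added here: what a managed binary that bound these
# framework assemblies is able to do. It is a hint, not proof of behaviour.
CAPABILITY_HINTS = {
    "System.Windows.Forms": "GUI / message loop (WinForms)",
    "Microsoft.VisualBasic": "VB.NET runtime helpers (Interaction.Shell, Strings, ...)",
    "System.Configuration": "reads .config / application settings",
    "System.Xml": "XML handling",
    "System.Drawing": "bitmap primitives (screenshots, image resources)",
}


def capability_hints(refs: List[AssemblyRef]) -> Set[str]:
    return {CAPABILITY_HINTS[r.name] for r in refs if r.name in CAPABILITY_HINTS}


if __name__ == "__main__":
    for ref in parse_usage_log(SAMPLE_LOG):
        print(f"{ref.name:25} {ref.version:10} ngen={'yes' if ref.native_image else 'no'}")
    print(sorted(capability_hints(parse_usage_log(SAMPLE_LOG))))
```

On a live host the same function is pointed at every `*.log` under `UsageLogs`; a log named after a binary that is not a known .NET application (here `dhcpmon.exe`) is a cheap hunting lead that survives after the process has exited.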
                                                                                                          C:\Users\user\AppData\Local\Temp\l0k0ivt1gwq.dll
                                                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):10240
                                                                                                          Entropy (8bit):6.946221991408385
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:MeNibu5S6oJROvgAPu8vf1L0HZtbuxw9HqjZ7:E60avgAP3fVSbf5qj
                                                                                                          MD5:8FEC1FE4587680848AB0D0B5F0FD7D62
                                                                                                          SHA1:7192AF111E78841F12772D3C82E2BE33EFAAA28D
                                                                                                          SHA-256:553656F7C7BCCCF8EFF0A2F92D843C194404E5E1A743ABC50C3904A1781168FA
                                                                                                          SHA-512:254390CDD8565E4A2EF92F3C450228BC470EC09F94D6AABDAAA7115EEC5F2C0601F9BA88278B70C4595766A7C42A05BE903FCC63444A0E1A119764AB86887BC8
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                                                                          Reputation:low
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&8u.bY..bY..bY..bY..tY......oY..E..cY..E..cY..E..cY..RichbY..........................PE..L....l0`...........!......... ............... ...............................P......................................@#..H...p ....................................................................................... ..p............................text............................... ..`.rdata....... ......................@..@.data........0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\Temp\mkecgmj.p
                                                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):279040
                                                                                                          Entropy (8bit):7.999364271075393
                                                                                                          Encrypted:true
                                                                                                          SSDEEP:6144:P1v1P/51wTavAPyVCow2do2dZo8bBU2lVWoZmrii:P1tPxSPyVDdLP9VBkr
                                                                                                          MD5:38FCBFD0FE1E67D1B13FF1A60CA4E8E2
                                                                                                          SHA1:55ED4A22CB76D20406B1FB042415D89697223A6C
                                                                                                          SHA-256:52B03BF52B4638A5AECB44A436B01A612FB261920FAE67A5DAC0E54CD9EDD574
                                                                                                          SHA-512:47B174E568A37F91B49396F5FC7B1B348BF91A2E6B0B06D14CFA0321CAB0BFF0C151FBE00B9B9B2E810525D8A4627AE376268766A54E792D1229E7607476F51A
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Preview: p.L.."SL<. 4.....`...e\.'.S...T.4~..w.%K.m.....p.P.....l;.r.n..~..Z.3).........R...#.J."YY...V..'../..U^u..B.?f*,Y.....2......OeB.k,..,m..]l..*.....{}J.Y5....o..%g...}.a&.....s0..+..=.>^....@.}..@..9.T.9.gD\..=:.4.a..*Q2...l.e.|..f{.X..R.C,.l.f+....V.|.. .E..sN....W..hu{<. W..U..E.....a.F.Lc.F.....S..E.....T.....,t.b.T...7h...1...)....[[j`..#.+.U."%K..+.....D\=..JB.-g......d.c.Q.c6....3....D.C..gQ..y.PK ....<G...w....r..!.H...0.$.#....Y.H.d.S..C...o..Y.....3.M_....d.l.}){...r.4...................ZI.]5.. ].D%~M.4.{.B....L.l..}.....x....O.0..g....P.t+.*.G.j.`.x]\e........@DZb..Q.S.*.|....;..v.;r.|.T.R.[E.@e@....5.,.v.\q...uz*.a.+"....O...N.%<,...w.j..k...~...UM..o.j..+.,N.~..UM....u...).d......R........".j.L f.,.j....'..aE......Q..'i.....-cJ9..u.r.$.nLXi....Sx.i{......n..=..../.$..+.C.^>...V..N\.n.(*m...Q....i%..P.Q..3 ..e>.)"u.GH!".a..c~f.SJ.8b...k.B.5.,0......@...M..=.}.l.(.2....X......jwL.......#.z...1.h$....RF.....".....5..8.......
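Two figures in the `mkecgmj.p` record above do the analytical work. First, its SSDEEP hash shares the run `1v1P/51wTavAPyVCow2do2dZo8bBU2lVWoZmri` with the SSDEEP of `CHEQUE COPY.exe` itself (L2036), which is consistent with this blob being carried inside the installer and written out unchanged by `dhcpmon.exe`. Second, its entropy of 7.999364 bits/byte is exactly what uniformly random data of this size scores: the plug-in entropy estimator is biased low by about (K-1)/(2N ln 2) bits, which for K=256 symbols and N=279040 bytes is 0.00066, giving an expected 7.99934. The blob is therefore indistinguishable from random bytes (encrypted or compressed content), while the parent at 7.943 is a mixture of low-entropy stub code and this high-entropy payload. The code below is an added example, not Joe Sandbox code: it computes the entropy and the random-data ceiling, and walks a carrier file in windows to locate the embedded high-entropy region, which is how one finds such a payload in an installer without an ssdeep library. The "Encrypted" threshold is an assumption chosen to agree with the two values on the page (7.943 false, 7.9994 true); the sandbox's own cut-off is not stated. The carrier buffer is constructed, not the real sample.

```python
"""Shannon entropy, the finite-sample ceiling for random data, and location of
high-entropy regions inside a carrier file.

Added example for this report, not Joe Sandbox code. ENCRYPTED_THRESHOLD is an
assumption consistent with the page's values; the carrier is constructed.
"""
import hashlib
import math
from collections import Counter
from typing import List, Tuple

ENCRYPTED_THRESHOLD = 7.99  # assumption: above the page's 7.943 (false), below 7.9994 (true)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant input, 8.0 for a uniform byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def random_ceiling(n: int, symbols: int = 256) -> float:
    """Expected plug-in entropy of n uniformly random bytes (Miller-Madow bias).

    Scores at this ceiling mean 'indistinguishable from random', i.e. encrypted
    or well-compressed; scores well below it mean structure is present.
    """
    return math.log2(symbols) - (symbols - 1) / (2 * n * math.log(2))


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def high_entropy_regions(data: bytes, window: int = 8192, threshold: float = 7.9) -> List[Tuple[int, int]]:
    """Return merged (start, end) byte ranges whose windows score >= threshold.

    Installer stub code and headers score far below 8; an embedded encrypted
    payload scores at the random ceiling for the window size (about 7.977 for
    8 KiB windows), so a threshold of 7.9 separates the two cleanly.
    """
    regions = []
    start = None
    for off in range(0, len(data), window):
        hot = shannon_entropy(data[off:off + window]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-payload") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in
    for an encrypted payload so the example is offline and repeatable."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


HEAD_LEN, CODE_LEN, BLOB_LEN, TAIL_LEN = 8192, 16384, 65536, 8192


def build_carrier() -> bytes:
    """Constructed stand-in for an installer: DOS-stub-like header, repetitive
    code-like filler (exactly 6 bits/byte), an embedded blob, a zero tail."""
    head = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n").ljust(HEAD_LEN, b"\x00")
    code = bytes(i % 64 for i in range(CODE_LEN))
    blob = pseudo_random_bytes(BLOB_LEN)
    tail = b"\x00" * TAIL_LEN
    return head + code + blob + tail


if __name__ == "__main__":
    carrier = build_carrier()
    print("whole file:", round(shannon_entropy(carrier), 4), "encrypted?", looks_encrypted(carrier))
    print("payload regions:", high_entropy_regions(carrier))
    print("ceiling for 279040 random bytes:", round(random_ceiling(279040), 6))
```

Reading the page's numbers through `random_ceiling`: 279040 bytes gives 7.99934 against the reported 7.999364, so `mkecgmj.p` is flat random to four decimals; the parent's 331665 bytes would have a ceiling of 7.99945, and its reported 7.943 falls well short of it, which is the signature of a stub wrapped around a payload rather than a wholly packed image.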
                                                                                                          C:\Users\user\AppData\Local\Temp\nsj85AE.tmp\System.dll
                                                                                                          Process:C:\Users\user\Desktop\CHEQUE COPY.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):11776
                                                                                                          Entropy (8bit):5.855045165595541
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                                          MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                                          SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                                          SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                                          SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 0%
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: Bank Details.exe, Detection: malicious
                                                                                                          • Filename: Re-QUOTATION.exe, Detection: malicious
                                                                                                          • Filename: shed.exe, Detection: malicious
                                                                                                          • Filename: purchase order.exe, Detection: malicious
                                                                                                          • Filename: QUOTATION_PDF_SCAN_COPY.exe, Detection: malicious
                                                                                                          • Filename: DHL Shipment Notification 7465649870,pdf.exe, Detection: malicious
                                                                                                          • Filename: Firm Order.exe, Detection: malicious
                                                                                                          • Filename: Documents_pdf.exe, Detection: malicious
                                                                                                          • Filename: QUOTATION.exe, Detection: malicious
                                                                                                          • Filename: banka bilgisi.exe, Detection: malicious
                                                                                                          • Filename: MV TEAL BULKERS.xlsx, Detection: malicious
                                                                                                          • Filename: ForeignRemittance_20210219_USD.xlsx, Detection: malicious
                                                                                                          • Filename: HBL VRNA00872.xlsx, Detection: malicious
                                                                                                          • Filename: statement.xlsx, Detection: malicious
                                                                                                          • Filename: _Doc_Shipment_330393_.xlsx, Detection: malicious
                                                                                                          • Filename: HBL VRN0924588.xlsx, Detection: malicious
                                                                                                          • Filename: SHED.EXE, Detection: malicious
                                                                                                          • Filename: c4p1vG05Z8.exe, Detection: malicious
                                                                                                          • Filename: Offer18022021.xlsx, Detection: malicious
                                                                                                          • Filename: DHL Shipment Notification 7465649870.pdf.exe, Detection: malicious
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\Temp\nsvA2AC.tmp\System.dll
                                                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):11776
                                                                                                          Entropy (8bit):5.855045165595541
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                                          MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                                          SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                                          SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                                          SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 0%
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: Bank Details.exe, Detection: malicious
                                                                                                          • Filename: Re-QUOTATION.exe, Detection: malicious
                                                                                                          • Filename: shed.exe, Detection: malicious
                                                                                                          • Filename: purchase order.exe, Detection: malicious
                                                                                                          • Filename: QUOTATION_PDF_SCAN_COPY.exe, Detection: malicious
                                                                                                          • Filename: DHL Shipment Notification 7465649870,pdf.exe, Detection: malicious
                                                                                                          • Filename: Firm Order.exe, Detection: malicious
                                                                                                          • Filename: Documents_pdf.exe, Detection: malicious
                                                                                                          • Filename: QUOTATION.exe, Detection: malicious
                                                                                                          • Filename: banka bilgisi.exe, Detection: malicious
                                                                                                          • Filename: MV TEAL BULKERS.xlsx, Detection: malicious
                                                                                                          • Filename: ForeignRemittance_20210219_USD.xlsx, Detection: malicious
                                                                                                          • Filename: HBL VRNA00872.xlsx, Detection: malicious
                                                                                                          • Filename: statement.xlsx, Detection: malicious
                                                                                                          • Filename: _Doc_Shipment_330393_.xlsx, Detection: malicious
                                                                                                          • Filename: HBL VRN0924588.xlsx, Detection: malicious
                                                                                                          • Filename: SHED.EXE, Detection: malicious
                                                                                                          • Filename: c4p1vG05Z8.exe, Detection: malicious
                                                                                                          • Filename: Offer18022021.xlsx, Detection: malicious
                                                                                                          • Filename: DHL Shipment Notification 7465649870.pdf.exe, Detection: malicious
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\Temp\nsx694C.tmp\System.dll
                                                                                                          Process:C:\Users\user\Desktop\CHEQUE COPY.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):11776
                                                                                                          Entropy (8bit):5.855045165595541
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                                          MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                                          SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                                          SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                                          SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp
                                                                                                          Process:C:\Users\user\Desktop\CHEQUE COPY.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1301
                                                                                                          Entropy (8bit):5.115251788848742
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yq8xtn:cbk4oL600QydbQxIYODOLedq3+8j
                                                                                                          MD5:121D7A1A91E22CE2154D0260A83DE375
                                                                                                          SHA1:E1A642F6194608F5A0D896739A75EE2A07E9E4FC
                                                                                                          SHA-256:5B036902A33AA54797EB0118780D6226372231AF995C260FD163324DF788623C
                                                                                                          SHA-512:642829EBCC236DE0023BF62FFC66294478CC9CE439622464BFF2D72FE1F5E07A8EA1C93177F5CD3D6354CE3E94B974821D5594FED267070483A4AB21A15B3378
                                                                                                          Malicious:true
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                                          C:\Users\user\AppData\Local\Temp\tmp811A.tmp
                                                                                                          Process:C:\Users\user\Desktop\CHEQUE COPY.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:modified
                                                                                                          Size (bytes):1310
                                                                                                          Entropy (8bit):5.109425792877704
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                                                          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                                                          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                                                          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                                                          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                                                          Malicious:false
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
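The two temp files above, tmp7DCD.tmp and tmp811A.tmp, are Task Scheduler 1.2 task definitions with an empty Triggers element, LogonType InteractiveToken and RunLevel HighestAvailable: whatever action such a task carries runs at the highest available integrity level whenever something starts it on demand. The report identifies both files as ASCII text although their declaration claims UTF-16, so a parser that honours the declaration rejects them. The following Python is an added triage helper, not part of the report or of the sample: it drops the declaration, reads the principal, trigger, Hidden and Exec settings, and flags an elevated task that has no trigger or points at a user-writable path. The task XML it parses is constructed for this example; its Principals and Settings mirror the preview above, while the Actions block, the command path and the benign comparison task are invented.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler 1.2 definitions (the xmlns in the dropped XML above).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments an unprivileged user can write to. An elevated task whose
# action lives under one of these is a common persistence pattern.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample: Principals and Settings mirror the dropped file's preview;
# the Actions block and its command path are invented for this example.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\example\svc.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a scheduled trigger, least privilege,
# and a binary under Program Files.
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2020-08-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Example\updater.exe</Command></Exec></Actions>
</Task>"""


def load_task(xml_text: str) -> ET.Element:
    """Parse a task definition, ignoring the (possibly wrong) encoding declaration."""
    # The dropped file is ASCII but declares UTF-16; strip the declaration so the
    # parser works from the actual bytes rather than the claimed encoding.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1).lstrip()
    return ET.fromstring(body)


def _text(node: ET.Element, path: str) -> str:
    """Text of the first element at a namespaced path, or '' when absent."""
    found = node.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def triage_task(xml_text: str) -> dict:
    """Return the settings an analyst wants to see, plus a summary verdict."""
    root = load_task(xml_text)
    triggers = root.find("t:Triggers", NS)
    commands = [_text(exe, "t:Command") for exe in root.findall("t:Actions/t:Exec", NS)]
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    findings = {
        "run_level": run_level,
        "logon_type": _text(root, "t:Principals/t:Principal/t:LogonType"),
        "no_triggers": triggers is None or len(triggers) == 0,
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "commands": commands,
        "user_writable_command": any(
            frag in cmd.lower() for cmd in commands for frag in USER_WRITABLE),
    }
    # An elevated task that only runs on demand, or that executes something from
    # a user-writable directory, is worth analyst review.
    findings["suspicious"] = run_level == "HighestAvailable" and (
        findings["no_triggers"] or findings["user_writable_command"])
    return findings


if __name__ == "__main__":
    for label, xml in (("dropped-style", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task(xml))
```

To run it against a live host, replace the constructed sample with the XML from `schtasks /Query /TN <name> /XML` or the file under C:\Windows\System32\Tasks. The findings come back as a dict rather than a printout so the same checks can feed a detection rule.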
                                                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                                          Process:C:\Users\user\Desktop\CHEQUE COPY.exe
                                                                                                          File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):8
                                                                                                          Entropy (8bit):2.5
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Dn:D
                                                                                                          MD5:BD1968E6793B05071285CEC4355C6C8E
                                                                                                          SHA1:091BC05662A578369E91AF9A1AC0436C3432F3CC
                                                                                                          SHA-256:4F57377900A157775B7D1644D33219445FAA0EEA90EDF2C1D1984001EF4A6A74
                                                                                                          SHA-512:E9A999866CE5628D266CA4A1DA0577389369BE95F49ED9D2030A0DA0B812B18F5F57632436E8DDB62730B5E0027528FFB50494208CA01F858E5F79153E948C56
                                                                                                          Malicious:true
                                                                                                          Preview: y..y..H
                                                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                                                          Process:C:\Users\user\Desktop\CHEQUE COPY.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):38
                                                                                                          Entropy (8bit):4.238334671954105
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:oNt+WfWmS0+q20dA:oNwvmH+TkA
                                                                                                          MD5:3FC5217BE7ACC87B0E5B62A0D947C252
                                                                                                          SHA1:75211E26E82408BE79D04E78CB04E9ECAA18EC0F
                                                                                                          SHA-256:8BA635B37D08E3DAC020EC35190334F6F8A650084AD6A51493133DEBCCF27E1A
                                                                                                          SHA-512:05DAB8B2D1E3A2DABA4A583B367A51A9F295109296E9F3B74ECBAA761D0F92372FB53A1A7ECF6F112B5D87F41804591F03849BC384DD494BF2B7E6EC3DAAF0E8
                                                                                                          Malicious:false
                                                                                                          Preview: C:\Users\user\Desktop\CHEQUE COPY.exe

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                          Entropy (8bit):7.943201162388639
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:CHEQUE COPY.exe
                                                                                                           File size (bytes):331665
                                                                                                          MD5:ec067b73f3156aedbd9158f107952eb8
                                                                                                          SHA1:6353de54ce12dfd2cd86a3dc2824c7448157a821
                                                                                                          SHA256:3f6f1635ca9660f24bf4e9527ec6136ed50ad9a8a88e442768143d55eb73a6af
                                                                                                          SHA512:83456705e8bed761fc5091cde0395314968327fd4929cbc79bd4350765328df66fe2ee00d9d66a0b23b1246fe44b19c6f3cb3cd3bbba88e0827442c5e8b79585
                                                                                                          SSDEEP:6144:Lx/MKNJ1v1P/51wTavAPyVCow2do2dZo8bBU2lVWoZmriV:B5T1tPxSPyVDdLP9VBkq
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L...%.$_.................d....9.....%3............@

                                                                                                          File Icon

                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x403325
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                          Time Stamp:0x5F24D625 [Sat Aug 1 02:40:37 2020 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:ced282d9b261d1462772017fe2f6972b

                                                                                                          Entrypoint Preview

                                                                                                           Instruction (the call and jump targets rendered below as 0x00007FF5... lie outside the 32-bit address space of an image based at 0x400000; treat them as a display artifact and recover the real targets from the instruction bytes)
                                                                                                          sub esp, 00000184h
                                                                                                          push ebx
                                                                                                          push esi
                                                                                                          push edi
                                                                                                          xor ebx, ebx
                                                                                                          push 00008001h
                                                                                                          mov dword ptr [esp+18h], ebx
                                                                                                          mov dword ptr [esp+10h], 0040A198h
                                                                                                          mov dword ptr [esp+20h], ebx
                                                                                                          mov byte ptr [esp+14h], 00000020h
                                                                                                          call dword ptr [004080B8h]
                                                                                                          call dword ptr [004080BCh]
                                                                                                          and eax, BFFFFFFFh
                                                                                                          cmp ax, 00000006h
                                                                                                          mov dword ptr [007A2F6Ch], eax
                                                                                                          je 00007FF5948A80D3h
                                                                                                          push ebx
                                                                                                          call 00007FF5948AB236h
                                                                                                          cmp eax, ebx
                                                                                                          je 00007FF5948A80C9h
                                                                                                          push 00000C00h
                                                                                                          call eax
                                                                                                          mov esi, 004082A0h
                                                                                                          push esi
                                                                                                          call 00007FF5948AB1B2h
                                                                                                          push esi
                                                                                                          call dword ptr [004080CCh]
                                                                                                          lea esi, dword ptr [esi+eax+01h]
                                                                                                          cmp byte ptr [esi], bl
                                                                                                          jne 00007FF5948A80ADh
                                                                                                          push 0000000Bh
                                                                                                          call 00007FF5948AB20Ah
                                                                                                          push 00000009h
                                                                                                          call 00007FF5948AB203h
                                                                                                          push 00000007h
                                                                                                          mov dword ptr [007A2F64h], eax
                                                                                                          call 00007FF5948AB1F7h
                                                                                                          cmp eax, ebx
                                                                                                          je 00007FF5948A80D1h
                                                                                                          push 0000001Eh
                                                                                                          call eax
                                                                                                          test eax, eax
                                                                                                          je 00007FF5948A80C9h
                                                                                                          or byte ptr [007A2F6Fh], 00000040h
                                                                                                          push ebp
                                                                                                          call dword ptr [00408038h]
                                                                                                          push ebx
                                                                                                          call dword ptr [00408288h]
                                                                                                          mov dword ptr [007A3038h], eax
                                                                                                          push ebx
                                                                                                          lea eax, dword ptr [esp+38h]
                                                                                                          push 00000160h
                                                                                                          push eax
                                                                                                          push ebx
                                                                                                          push 0079E528h
                                                                                                          call dword ptr [0040816Ch]
                                                                                                          push 0040A188h

                                                                                                          Rich Headers

                                                                                                          Programming Language:
                                                                                                          • [EXP] VC++ 6.0 SP5 build 8804

                                                                                                          Data Directories

                                                                                                           Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                           IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_IMPORT          0x8438           0xa0          .rdata
                                                                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3ac000         0x97c         .rsrc
                                                                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x29c         .rdata
                                                                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                                           IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                          Sections

                                                                                                           Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                                                           .text   0x1000           0x6230        0x6400    False     0.6699609375     data       6.44188995255  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                           .rdata  0x8000           0x1274        0x1400    False     0.4337890625     data       5.06106734837  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                           .data   0xa000           0x399078      0x600     unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                           .ndata  0x3a4000         0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                           .rsrc   0x3ac000         0x97c         0xa00     False     0.455078125      data       4.30771149045  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
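The section table above lists .data with VirtualSize 0x399078 against a raw size of 0x600, which is why the report cannot compute a file type or entropy for it: almost the entire region exists only once the image is mapped and is filled at run time. The following Python is an added example, not code from the report or from the sample, that walks the DOS, COFF, optional and section headers with struct and surfaces that discrepancy, any writable-and-executable section, and the section that holds the entry point (0x403325 minus the image base 0x400000 is RVA 0x3325, inside .text). The header-only PE it builds is constructed to mirror the table above; the raw file offsets are invented and no section bodies are included, so it is not the analysed binary.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
COFF_HDR = struct.Struct("<HHIIIHH")      # IMAGE_FILE_HEADER (20 bytes)
OPT_HDR_HEAD = struct.Struct("<HBBIIII")  # IMAGE_OPTIONAL_HEADER32 up to AddressOfEntryPoint


def parse_pe(data: bytes) -> dict:
    """Walk the headers by hand; return timestamp, entry RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, timestamp, _, _, opt_size, _ = COFF_HDR.unpack_from(data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + COFF_HDR.size
    entry_rva = OPT_HDR_HEAD.unpack_from(data, opt_off)[6] if opt_size >= OPT_HDR_HEAD.size else 0
    off = opt_off + opt_size  # section headers follow the optional header
    sections = []
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
        off += SECTION_HDR.size
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def entry_section(info: dict):
    """Name of the section containing AddressOfEntryPoint, or None if it maps nowhere."""
    ep = info["entry_rva"]
    for s in info["sections"]:
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def flag_sections(sections, ratio: int = 16, min_vsize: int = 0x10000):
    """Return (section name, reason) pairs that deserve a second look."""
    findings = []
    for s in sections:
        c = s["chars"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "writable and executable"))
        # A declared-initialized section whose mapped size dwarfs its on-disk size
        # is mostly zero-filled by the loader and populated later by the program.
        initialised = c & IMAGE_SCN_CNT_INITIALIZED_DATA and not c & IMAGE_SCN_CNT_UNINITIALIZED_DATA
        if initialised and s["vsize"] >= min_vsize and s["vsize"] > ratio * max(s["rawsize"], 1):
            findings.append((s["name"], "VirtualSize 0x%x is %dx SizeOfRawData 0x%x: filled at run time"
                             % (s["vsize"], s["vsize"] // max(s["rawsize"], 1), s["rawsize"])))
    return findings


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 mirroring the report's section table.
    Raw file offsets are invented, the optional header is zero apart from Magic and
    AddressOfEntryPoint, and no section bodies exist. Not the analysed sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    coff = COFF_HDR.pack(0x014C, 5, 0x5F24D625, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    OPT_HDR_HEAD.pack_into(opt, 0, 0x10B, 6, 0, 0, 0, 0, 0x3325)
    rows = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text",  0x6230,   0x1000,   0x6400, 0x400,  0x60000020),
        (b".rdata", 0x1274,   0x8000,   0x1400, 0x6800, 0x40000040),
        (b".data",  0x399078, 0xa000,   0x600,  0x7C00, 0xC0000040),
        (b".ndata", 0x8000,   0x3a4000, 0x0,    0x0,    0xC0000080),
        (b".rsrc",  0x97c,    0x3ac000, 0xa00,  0x8200, 0x40000040),
    ]
    table = b"".join(SECTION_HDR.pack(n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in rows)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("entry point RVA 0x%x in %s" % (info["entry_rva"], entry_section(info)))
    for name, why in flag_sections(info["sections"]):
        print("%-7s %s" % (name, why))
```

The ratio and size thresholds are heuristics: a large run-time-filled initialized-data section is also how an installer stub reserves working memory, so the check tells the analyst where to look, not whether the contents are malicious. To run it on a real file, pass the bytes read from disk to parse_pe instead of build_sample_pe().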

                                                                                                          Resources

                                                                                                           Name         RVA       Size   Type                                                                          Language  Country
                                                                                                           RT_DIALOG    0x3ac148  0x100  data                                                                          English   United States
                                                                                                           RT_DIALOG    0x3ac248  0x11c  data                                                                          English   United States
                                                                                                           RT_DIALOG    0x3ac364  0x60   data                                                                          English   United States
                                                                                                           RT_VERSION   0x3ac3c4  0x278  data                                                                          English   United States
                                                                                                           RT_MANIFEST  0x3ac63c  0x340  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description | Data
LegalCopyright | Copyright orientation
FileVersion | 68.67.88.38
CompanyName | fire escape
LegalTrademarks | Ap Ma
Comments | shoreline
ProductName | gaoler
FileDescription | Barton's echidna
Translation | 0x0409 0x04e4

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States | 

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 20, 2021 09:29:04.682451010 CET | 49734 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:04.737190962 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:05.244375944 CET | 49734 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:05.298325062 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:05.806895971 CET | 49734 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:05.861803055 CET | 7688 | 49734 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:10.216090918 CET | 49738 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:10.269927979 CET | 7688 | 49738 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:10.770991087 CET | 49738 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:10.827547073 CET | 7688 | 49738 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:11.333467007 CET | 49738 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:11.387327909 CET | 7688 | 49738 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:15.874444962 CET | 49740 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:15.929754019 CET | 7688 | 49740 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:16.443367004 CET | 49740 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:16.500091076 CET | 7688 | 49740 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:17.006696939 CET | 49740 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:17.060661077 CET | 7688 | 49740 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:21.173434019 CET | 49743 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:21.228018999 CET | 7688 | 49743 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:21.740602016 CET | 49743 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:21.794497967 CET | 7688 | 49743 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:22.303168058 CET | 49743 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:22.357170105 CET | 7688 | 49743 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:26.479995012 CET | 49744 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:26.533838034 CET | 7688 | 49744 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:27.038095951 CET | 49744 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:27.091991901 CET | 7688 | 49744 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:27.600374937 CET | 49744 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:27.655774117 CET | 7688 | 49744 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:31.763168097 CET | 49745 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:31.817127943 CET | 7688 | 49745 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:32.319502115 CET | 49745 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:32.373542070 CET | 7688 | 49745 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:32.882119894 CET | 49745 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:32.936161041 CET | 7688 | 49745 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:37.042965889 CET | 49746 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:37.096920013 CET | 7688 | 49746 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:37.601248980 CET | 49746 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:37.659624100 CET | 7688 | 49746 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:38.226260900 CET | 49746 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:38.280384064 CET | 7688 | 49746 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:42.573045015 CET | 49755 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:42.626921892 CET | 7688 | 49755 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:43.132951021 CET | 49755 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:43.188443899 CET | 7688 | 49755 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:43.695447922 CET | 49755 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:43.752320051 CET | 7688 | 49755 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:48.163765907 CET | 49760 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:48.219160080 CET | 7688 | 49760 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:48.727157116 CET | 49760 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:48.783839941 CET | 7688 | 49760 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:49.289788961 CET | 49760 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:49.343722105 CET | 7688 | 49760 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:53.434062958 CET | 49761 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:53.487981081 CET | 7688 | 49761 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:53.993300915 CET | 49761 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:54.047264099 CET | 7688 | 49761 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:54.555854082 CET | 49761 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:54.609582901 CET | 7688 | 49761 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:58.803488016 CET | 49765 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:58.857521057 CET | 7688 | 49765 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:59.368655920 CET | 49765 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:59.423696995 CET | 7688 | 49765 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:29:59.931174994 CET | 49765 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:29:59.985225916 CET | 7688 | 49765 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:04.309041023 CET | 49771 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:04.362966061 CET | 7688 | 49771 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:04.884762049 CET | 49771 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:04.938821077 CET | 7688 | 49771 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:05.447323084 CET | 49771 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:05.502799034 CET | 7688 | 49771 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:10.047544956 CET | 49772 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:10.101521969 CET | 7688 | 49772 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:10.603966951 CET | 49772 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:10.659145117 CET | 7688 | 49772 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:11.166527033 CET | 49772 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:11.220618963 CET | 7688 | 49772 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:15.506270885 CET | 49773 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:15.564398050 CET | 7688 | 49773 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:16.073276043 CET | 49773 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:16.127351046 CET | 7688 | 49773 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:16.635855913 CET | 49773 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:16.692507029 CET | 7688 | 49773 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:20.855978012 CET | 49774 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:20.910017014 CET | 7688 | 49774 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:21.417545080 CET | 49774 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:21.474658966 CET | 7688 | 49774 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:21.979948044 CET | 49774 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:22.034101963 CET | 7688 | 49774 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:26.128468990 CET | 49775 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:26.182354927 CET | 7688 | 49775 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:26.683466911 CET | 49775 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:26.740122080 CET | 7688 | 49775 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:27.246012926 CET | 49775 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:27.302422047 CET | 7688 | 49775 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:31.390067101 CET | 49776 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:31.444163084 CET | 7688 | 49776 | 185.150.24.55 | 192.168.2.4
Feb 20, 2021 09:30:31.949481964 CET | 49776 | 7688 | 192.168.2.4 | 185.150.24.55
Feb 20, 2021 09:30:32.005574942 CET | 7688 | 49776 | 185.150.24.55 | 192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 20, 2021 09:28:50.858154058 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:50.908090115 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:28:51.822695971 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:51.874311924 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:28:51.942909956 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:52.004360914 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:28:52.760857105 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:52.818367958 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:28:53.703960896 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:53.764658928 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:28:54.935142994 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:54.984257936 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:28:55.869863033 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:55.921323061 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:28:56.836747885 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:56.885438919 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:28:57.818181038 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:57.869813919 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:28:58.820045948 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:28:58.881336927 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:00.259080887 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:00.308000088 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:01.280355930 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:01.338788033 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:02.409961939 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:02.469748974 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:03.362679958 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:03.415625095 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:04.409420967 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:04.445300102 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:04.458153963 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:04.665582895 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:07.798640013 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:07.850261927 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:08.764969110 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:08.813744068 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:09.732856035 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:09.783145905 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:09.988846064 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:10.213303089 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:10.681179047 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:10.729827881 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:15.561894894 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:15.782841921 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:20.484283924 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:20.535968065 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:21.097795963 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:21.157784939 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:26.427056074 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:26.478487015 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:31.700709105 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:31.760209084 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:36.980783939 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:37.038008928 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:38.048086882 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:38.125420094 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:38.646158934 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:38.726509094 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:39.269819975 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:39.341459036 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:39.462989092 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:39.566857100 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:39.999485970 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:40.056739092 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:40.618684053 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Feb 20, 2021 09:29:40.679446936 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Feb 20, 2021 09:29:41.213634968 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                                                                                          Feb 20, 2021 09:29:41.275595903 CET53605798.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:41.955435991 CET5018353192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:42.019148111 CET53501838.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:42.335110903 CET6153153192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:42.571342945 CET53615318.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:42.915522099 CET4922853192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:42.972665071 CET53492288.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:44.398801088 CET5979453192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:44.456403017 CET53597948.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:44.891921043 CET5591653192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:44.948983908 CET53559168.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:45.743062019 CET5275253192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:45.806126118 CET53527528.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:48.103735924 CET6054253192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:48.162168980 CET53605428.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:53.375653028 CET6068953192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:53.433005095 CET53606898.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:55.895731926 CET6420653192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:55.947396994 CET53642068.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:56.060692072 CET5090453192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:56.120268106 CET53509048.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:58.657116890 CET5752553192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:58.705873013 CET53575258.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:29:58.829284906 CET5381453192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:29:58.901669025 CET53538148.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:04.056679964 CET5341853192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:04.296006918 CET53534188.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:09.986005068 CET6283353192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:10.046027899 CET53628338.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:15.281327963 CET5926053192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:15.504040956 CET53592608.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:20.727509022 CET4994453192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:20.785655022 CET53499448.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:26.066606998 CET6330053192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:26.126811981 CET53633008.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:31.331859112 CET6144953192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:31.389084101 CET53614498.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:31.935074091 CET5127553192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:31.986309052 CET53512758.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:33.459094048 CET6349253192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:33.517997980 CET53634928.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:36.613883972 CET5894553192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:36.662565947 CET53589458.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:41.885508060 CET6077953192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:42.106175900 CET53607798.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:47.394042969 CET6401453192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:47.445638895 CET53640148.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:52.678965092 CET5709153192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:52.727715015 CET53570918.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:30:58.011396885 CET5590453192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:30:58.071069002 CET53559048.8.8.8192.168.2.4
                                                                                                          Feb 20, 2021 09:31:03.359149933 CET5210953192.168.2.48.8.8.8
                                                                                                          Feb 20, 2021 09:31:03.584403038 CET53521098.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 20, 2021 09:29:04.445300102 CET | 192.168.2.4 | 8.8.8.8 | 0x373a | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:09.988846064 CET | 192.168.2.4 | 8.8.8.8 | 0xf04d | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:15.561894894 CET | 192.168.2.4 | 8.8.8.8 | 0x28b9 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:21.097795963 CET | 192.168.2.4 | 8.8.8.8 | 0x92b2 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:26.427056074 CET | 192.168.2.4 | 8.8.8.8 | 0x2f7d | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:31.700709105 CET | 192.168.2.4 | 8.8.8.8 | 0x531a | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:36.980783939 CET | 192.168.2.4 | 8.8.8.8 | 0x40e0 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:42.335110903 CET | 192.168.2.4 | 8.8.8.8 | 0x45d | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:48.103735924 CET | 192.168.2.4 | 8.8.8.8 | 0xe0fb | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:53.375653028 CET | 192.168.2.4 | 8.8.8.8 | 0x32c9 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:58.657116890 CET | 192.168.2.4 | 8.8.8.8 | 0x7bd0 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:04.056679964 CET | 192.168.2.4 | 8.8.8.8 | 0x1d81 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:09.986005068 CET | 192.168.2.4 | 8.8.8.8 | 0x2336 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:15.281327963 CET | 192.168.2.4 | 8.8.8.8 | 0x6b7b | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:20.727509022 CET | 192.168.2.4 | 8.8.8.8 | 0x1cfb | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:26.066606998 CET | 192.168.2.4 | 8.8.8.8 | 0x9154 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:31.331859112 CET | 192.168.2.4 | 8.8.8.8 | 0xf7e3 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:36.613883972 CET | 192.168.2.4 | 8.8.8.8 | 0xc0ff | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:41.885508060 CET | 192.168.2.4 | 8.8.8.8 | 0x8c9f | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:47.394042969 CET | 192.168.2.4 | 8.8.8.8 | 0xe2b9 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:52.678965092 CET | 192.168.2.4 | 8.8.8.8 | 0xce24 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:58.011396885 CET | 192.168.2.4 | 8.8.8.8 | 0x4db3 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:31:03.359149933 CET | 192.168.2.4 | 8.8.8.8 | 0xd0b6 | Standard query (0) | chinomso.duckdns.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 20, 2021 09:29:04.665582895 CET | 8.8.8.8 | 192.168.2.4 | 0x373a | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:10.213303089 CET | 8.8.8.8 | 192.168.2.4 | 0xf04d | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:15.782841921 CET | 8.8.8.8 | 192.168.2.4 | 0x28b9 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:21.157784939 CET | 8.8.8.8 | 192.168.2.4 | 0x92b2 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:26.478487015 CET | 8.8.8.8 | 192.168.2.4 | 0x2f7d | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:31.760209084 CET | 8.8.8.8 | 192.168.2.4 | 0x531a | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:37.038008928 CET | 8.8.8.8 | 192.168.2.4 | 0x40e0 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:42.571342945 CET | 8.8.8.8 | 192.168.2.4 | 0x45d | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:48.162168980 CET | 8.8.8.8 | 192.168.2.4 | 0xe0fb | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:53.433005095 CET | 8.8.8.8 | 192.168.2.4 | 0x32c9 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:29:58.705873013 CET | 8.8.8.8 | 192.168.2.4 | 0x7bd0 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:04.296006918 CET | 8.8.8.8 | 192.168.2.4 | 0x1d81 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:10.046027899 CET | 8.8.8.8 | 192.168.2.4 | 0x2336 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:15.504040956 CET | 8.8.8.8 | 192.168.2.4 | 0x6b7b | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:20.785655022 CET | 8.8.8.8 | 192.168.2.4 | 0x1cfb | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:26.126811981 CET | 8.8.8.8 | 192.168.2.4 | 0x9154 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:31.389084101 CET | 8.8.8.8 | 192.168.2.4 | 0xf7e3 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:36.662565947 CET | 8.8.8.8 | 192.168.2.4 | 0xc0ff | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:42.106175900 CET | 8.8.8.8 | 192.168.2.4 | 0x8c9f | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:47.445638895 CET | 8.8.8.8 | 192.168.2.4 | 0xe2b9 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:52.727715015 CET | 8.8.8.8 | 192.168.2.4 | 0xce24 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:30:58.071069002 CET | 8.8.8.8 | 192.168.2.4 | 0x4db3 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:31:03.584403038 CET | 8.8.8.8 | 192.168.2.4 | 0xd0b6 | No error (0) | chinomso.duckdns.org | | 185.150.24.55 | A (IP address) | IN (0x0001)
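
The DNS tables above show one client resolving the same dynamic-DNS name roughly every five seconds, always to the same address. The script below is an added example, not part of the Joe Sandbox report: it parses those query rows, measures the inter-query interval and its jitter, flags the fixed-interval lookup loop as a beacon, and joins the answer rows to get the resolved address as the pivot indicator. The dynamic-DNS suffix list is an assumption for the example; the rows for the control name ctl.example-control.test are constructed and do not appear in the report.

```python
"""Periodic-DNS (beacon) check over the DNS Queries rows of this report."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Dynamic-DNS providers whose free subdomains are a common, disposable C2 rendezvous.
# This suffix list is an assumption for the example; feed it from your own threat intel.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")

# The 23 rows of the report's DNS Queries table, re-typed with '|' separators
# (Timestamp|Source IP|Dest IP|Trans ID|OP Code|Name|Type|Class), followed by five
# constructed rows (not in the report) for a control name looked up at irregular times.
QUERY_LOG = """\
Feb 20, 2021 09:29:04.445300102 CET|192.168.2.4|8.8.8.8|0x373a|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:09.988846064 CET|192.168.2.4|8.8.8.8|0xf04d|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:15.561894894 CET|192.168.2.4|8.8.8.8|0x28b9|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:21.097795963 CET|192.168.2.4|8.8.8.8|0x92b2|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:26.427056074 CET|192.168.2.4|8.8.8.8|0x2f7d|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:31.700709105 CET|192.168.2.4|8.8.8.8|0x531a|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:36.980783939 CET|192.168.2.4|8.8.8.8|0x40e0|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:42.335110903 CET|192.168.2.4|8.8.8.8|0x45d|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:48.103735924 CET|192.168.2.4|8.8.8.8|0xe0fb|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:53.375653028 CET|192.168.2.4|8.8.8.8|0x32c9|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:58.657116890 CET|192.168.2.4|8.8.8.8|0x7bd0|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:04.056679964 CET|192.168.2.4|8.8.8.8|0x1d81|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:09.986005068 CET|192.168.2.4|8.8.8.8|0x2336|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:15.281327963 CET|192.168.2.4|8.8.8.8|0x6b7b|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:20.727509022 CET|192.168.2.4|8.8.8.8|0x1cfb|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:26.066606998 CET|192.168.2.4|8.8.8.8|0x9154|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:31.331859112 CET|192.168.2.4|8.8.8.8|0xf7e3|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:36.613883972 CET|192.168.2.4|8.8.8.8|0xc0ff|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:41.885508060 CET|192.168.2.4|8.8.8.8|0x8c9f|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:47.394042969 CET|192.168.2.4|8.8.8.8|0xe2b9|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:52.678965092 CET|192.168.2.4|8.8.8.8|0xce24|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:58.011396885 CET|192.168.2.4|8.8.8.8|0x4db3|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:31:03.359149933 CET|192.168.2.4|8.8.8.8|0xd0b6|Standard query (0)|chinomso.duckdns.org|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:05.000000000 CET|192.168.2.4|8.8.8.8|0x0001|Standard query (0)|ctl.example-control.test|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:06.500000000 CET|192.168.2.4|8.8.8.8|0x0002|Standard query (0)|ctl.example-control.test|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:30.000000000 CET|192.168.2.4|8.8.8.8|0x0003|Standard query (0)|ctl.example-control.test|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:31.000000000 CET|192.168.2.4|8.8.8.8|0x0004|Standard query (0)|ctl.example-control.test|A (IP address)|IN (0x0001)
Feb 20, 2021 09:30:10.000000000 CET|192.168.2.4|8.8.8.8|0x0005|Standard query (0)|ctl.example-control.test|A (IP address)|IN (0x0001)
"""

# Two rows of the report's DNS Answers table, same separators
# (Timestamp|Source IP|Dest IP|Trans ID|Reply Code|Name|CName|Address|Type|Class).
ANSWER_LOG = """\
Feb 20, 2021 09:29:04.665582895 CET|8.8.8.8|192.168.2.4|0x373a|No error (0)|chinomso.duckdns.org||185.150.24.55|A (IP address)|IN (0x0001)
Feb 20, 2021 09:29:10.213303089 CET|8.8.8.8|192.168.2.4|0xf04d|No error (0)|chinomso.duckdns.org||185.150.24.55|A (IP address)|IN (0x0001)
"""


def parse_ts(text):
    """'Feb 20, 2021 09:29:04.445300102 CET' -> naive datetime (nanoseconds truncated to microseconds)."""
    base, frac = text.rsplit(" ", 1)[0].split(".")
    return datetime.strptime(base, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=int(frac[:6]))


def is_dynamic_dns(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def beacon_profiles(query_log, min_queries=5, max_jitter=0.25):
    """Group queries by (client, name). A low coefficient of variation of the gap
    between consecutive lookups means a fixed-interval loop, i.e. a beacon."""
    stamps = defaultdict(list)
    for line in query_log.strip().splitlines():
        ts, src, _dst, _txid, _op, name, _qtype, _qclass = line.split("|")
        stamps[(src, name)].append(parse_ts(ts))
    profiles = {}
    for (client, name), times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        prof = {"client": client, "queries": len(times), "dynamic_dns": is_dynamic_dns(name),
                "interval_s": None, "jitter": None, "beacon": False}
        if len(times) >= min_queries:
            jitter = pstdev(gaps) / mean(gaps)
            prof.update(interval_s=round(median(gaps), 3), jitter=round(jitter, 3), beacon=jitter <= max_jitter)
        profiles[name] = prof
    return profiles


def resolved_addresses(answer_log):
    """Name -> set of A records: the address to block and to hunt for in flow logs."""
    addrs = defaultdict(set)
    for line in answer_log.strip().splitlines():
        _ts, _src, _dst, _txid, rcode, name, _cname, addr, qtype, _qclass = line.split("|")
        if rcode.startswith("No error") and qtype.startswith("A "):
            addrs[name].add(addr)
    return dict(addrs)


if __name__ == "__main__":
    iocs = resolved_addresses(ANSWER_LOG)
    for name, p in beacon_profiles(QUERY_LOG).items():
        tag = ("BEACON" + (" via dynamic DNS" if p["dynamic_dns"] else "")) if p["beacon"] else "ok"
        print(f"{tag:24} {name} n={p['queries']} interval={p['interval_s']}s jitter={p['jitter']} -> {sorted(iocs.get(name, []))}")
```

The jitter threshold of 0.25 is deliberately loose: the lookups here have a median gap of about 5.3 s with a coefficient of variation near 0.03, and a RAT that adds random sleep still lands well under 0.25, while interactive browsing does not. The same test works on any DNS log once the timestamp parser is swapped for the collector's format.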

                                                                                                          Code Manipulations

                                                                                                          Statistics

                                                                                                          Behavior

                                                                                                          System Behavior

                                                                                                          General

Start time: 09:28:56
Start date: 20/02/2021
Path: C:\Users\user\Desktop\CHEQUE COPY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\CHEQUE COPY.exe'
Imagebase: 0x400000
File size: 331665 bytes
MD5 hash: EC067B73F3156AEDBD9158F107952EB8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                          Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.642106438.0000000002760000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          Reputation:low

                                                                                                          General

Start time: 09:28:56
Start date: 20/02/2021
Path: C:\Users\user\Desktop\CHEQUE COPY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\CHEQUE COPY.exe'
Imagebase: 0x400000
File size: 331665 bytes
MD5 hash: EC067B73F3156AEDBD9158F107952EB8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                                                                          Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000003.780327983.0000000000498000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.896985915.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000001.639777410.0000000000400000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000003.764460301.0000000000499000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.898053275.0000000002441000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.901950423.00000000058C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.901866159.0000000005820000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.901866159.0000000005820000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.898844721.00000000034BC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.898844721.00000000034BC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.900532284.0000000004A62000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000003.742506685.0000000000499000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.899870723.0000000004920000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000003.789879813.0000000000499000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000003.709450530.0000000000499000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.897086081.0000000000489000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          Reputation:low

General

Start time: 09:29:01
Start date: 20/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7DCD.tmp'
Imagebase: 0xdc0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:29:02
Start date: 20/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:29:02
Start date: 20/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp811A.tmp'
Imagebase: 0xdc0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:29:03
Start date: 20/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:29:03
Start date: 20/02/2021
Path: C:\Users\user\Desktop\CHEQUE COPY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0
Imagebase: 0x400000
File size: 331665 bytes
MD5 hash: EC067B73F3156AEDBD9158F107952EB8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.657465929.0000000002DB0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 09:29:04
Start date: 20/02/2021
Path: C:\Users\user\Desktop\CHEQUE COPY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\CHEQUE COPY.exe' 0
Imagebase: 0x400000
File size: 331665 bytes
MD5 hash: EC067B73F3156AEDBD9158F107952EB8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.672768392.000000000347C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.670703063.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.674799984.0000000004FC2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.671006415.000000000055A000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000001.653978113.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.672627448.0000000002490000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.674570983.0000000004960000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.672690410.0000000003441000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 09:29:05
Start date: 20/02/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase: 0x400000
File size: 331665 bytes
MD5 hash: EC067B73F3156AEDBD9158F107952EB8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.676025735.0000000002E00000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 45%, Virustotal
• Detection: 28%, ReversingLabs
Reputation: low

General

Start time: 09:29:12
Start date: 20/02/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase: 0x400000
File size: 331665 bytes
MD5 hash: EC067B73F3156AEDBD9158F107952EB8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.688775764.00000000026C0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.688804869.0000000003671000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.687956985.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.688460054.00000000023F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.689440306.0000000004A62000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000F.00000001.672061283.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.688856168.00000000036AC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.688856168.00000000036AC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, Author: Florian Roth
                                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.688065638.00000000004BB000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                          Reputation:low

                                                                                                          Disassembly

                                                                                                          Code Analysis
